Apple blats WireLurker OS X, iOS malware – but fanbois aren't safe yet
Control servers go dark, crypto-cert revoked ... for now
It appears the WireLurker malware threatening Macs, iPads and iPhones has, for now, been partially neutralized.
Apple told The Reg it has revoked a previously legit cryptographic certificate the malware was using to sign itself: this certificate tricked iOS devices into trusting and installing WireLurker's malicious apps.
Now the Cupertino giant has marked that certificate as untrustworthy, prompting devices to reject any code hanging off it.
"We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching," Apple told us.
"As always, we recommend that users download and install software from trusted sources."
However, that is not quite the end of it: iOS security expert Jonathan Zdziarski warns that WireLurker can still read data from an iPhone or iPad without the certificate, and that "additional certificates could be substituted and new copies of the software inserted."
"It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines," he wrote on his personal blog.
"It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download.
"There are a number of potentially more dangerous uses for WireLurker, and unfortunately many of them will go unnoticed by Apple in time to revoke a certificate. It would be a much better solution to address the underlying design issues that make this possible."
Meanwhile, a spokesperson for Palo Alto Networks, which this week alerted the world to the spreading WireLurker infection, said the central command servers controlling the infected devices are, at the moment, offline.
The disappearance of the malware's online HQ and the revocation of its certificate will stall what was becoming a growing problem: thousands and thousands of people in China were lured into downloading and installing OS X applications from an unofficial app store that contained the WireLurker nasty.
When that compromised software is run, the desktops and laptops become carriers: the WireLurker code lies in wait for an iOS device to be paired with the OS X computer via USB.
Once a connection is established, the malware uses an enterprise security certificate to silently install malicious apps on the iOS device. This allowed the malware to spread itself even to non-jailbroken iPhones and iPads.
Researchers believe the malware was able to pass victims' Apple ID credentials and contact information back to the command and control server. ®